Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Fri, 08 Aug 2014 22:41:25 +0200
From: Yves-Alexis Perez <corsac@...ian.org>
To: oss-security@...ts.openwall.com
Subject: Re: BadUSB discussion

On ven., 2014-08-08 at 09:49 -0700, Greg KH wrote:
> > 
> > Personally I would prefer disabling USB hotplug while a machine is locked
> > (or while there are no active TTYs or something for servers).  Even if HID
> > was whitelisted while the machine is locked, it would be a great start.
> 
> Then do just that, Linux has allowed you to do this for years, again,
> but very few people take advantage of it.

Reading that thread, that's exactly what I thought about that. I guess
it could be a good idea to set usbcore.authorized_default to 0 when the
systems is locked (logind could provide that information). There's still
the issue that it's then not possible to unlock the system in some
situation (for example because you had to unplug the keyboard while
logged out, or stuff like that). But at least that would be a
possibility.
> 
> > In regards to the PCI stuff, don't miss Joe's talk at DEFCON on Sunday.
> > 
> > https://www.defcon.org/html/defcon-22/dc-22-speakers.html#FitzPatrick
> > 
> > People have much more exposed PCI on their laptops and servers than they
> > realize.  It's super cheap, super easy, and when we start selling kits this
> > afternoon, it's going to be super accessible.
> 
> express card and thunderbolt are pcie, it's fun to play with, glad to
> see some "kits" to make it more accessable.
> 
> > VTd/IOMMU would be nice to have if implemented properly, but it seems like
> > even OSX, the only OS currently using VTd as a security feature, still
> > hasn't gotten it quite right.
> 
> What exactly do you mean by "get it right"?

I lost track of the current OSX status, but I had the impression that
they would only enable Vt-d (where present) when the systems was locked,
not always.

Note that on Linux, you can boot intel_iommu=on (or force it at compile
time). I do that since a long time now (actually since I myself found
bugs in network cards firmwares which I then used to bounce to the host,
that raised my own paranoïa quite a lot). I also discovered that I/OMMU
(like any firmware) can be buggy too (for example on my ironlake system
I need intel_iommu=on,igfx_off for it to work), but it's apparently
better on more recent Intel systems.

Regards,
-- 
Yves-Alexis

Download attachment "signature.asc" of type "application/pgp-signature" (474 bytes)

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.